Saturday, May 23, 2009

Phishing for Bucks

My last blog entry on Phacebook Phishing scams generated some questions about Phishing. Phishing is a scam where Internet fraudsters send seemingly authentic spam or pop-up messages with the intent of luring personal and financial information out of unsuspecting victims. Quite often the emails or pop-up messages appear official and may copy the exact fonts, graphics and other layout items of a real website such as a bank, internet service provider, email account, etc. They typically prompt you to enter your private information such as account number, password, address, SIN, credit card numbers etc.

Follow these basic steps to avoid getting 'hooked':
  1. Use antivirus/spyware/malware software - remember that some are better than others and you typically get what you pay for! I use Vipre Antivirus from Sunbelt Software because it's light, efficient and effective. Keep your subscription and definitions up to date and set an autoscan at a time when your computer is actually on! Malwarebytes is a great free program that has outshone many of the top level malware programs that one would pay good money for. The paid version offers real-time protection and supports the developers in their efforts. If you need assistance with diagnosing or removing an infection you can reach me here.

  2. Use Phishing protection - the top level browsers (IE7, Firefox, Chrome, Safari) and email clients have built-in Phishing protection but, to date, the results are inconsistent. An anti-Phishing toolbar receiving great praise is freeware from Netcraft. Anti-Phishing programs basically expose a website's or link's true internet address, and in most cases a risk rating is also provided. For example, the real Facebook website is located here -> Facebook, and this link -> 'Click to visit the real Facebook' suggests it goes to Facebook but it doesn't. (Links to Datashield website) How would one know which, if either, is the real link? Anti-Phishing programs are designed to give you an added advantage over the internet scammers but, like any security risk/solution area, it's constantly evolving and for most users waaaay too complicated. Here's a link to a Wiki on Phishing and other vulnerabilities which I found informative.

  3. Don't email personal or financial information - email is easily read by almost anyone with some basic knowledge and one of many free packet sniffers. There are a number of ways to encrypt your data, including using Microsoft's Outlook, Mozilla's Thunderbird, PKzip, etc. There are also online providers that offer a secure email service. Never send your credit card, banking information or passwords via email!

  4. Don't reply to email or pop-up messages that ask for personal or financial information. Do not click on links in the message even if it seems legit - links can take you to pages where malicious software can download to your system and open the flood gates to all sorts of mischief. Hackers can make links look like they go to one place when they actually send you to a different site. The best way to navigate to a site is by physically typing the address in the browser address bar. (I know...what fun is that!)

  5. Use an aftermarket firewall that monitors both incoming and outgoing connections. Routers and Windows (XP and up) offer good quality firewalls, but the default settings are less than informative as to what is coming and going from your system. Trojans can hide on your system quite easily, as can key loggers. Trojans can provide remote access to your system or even transmit personal information to an outside location. Key loggers monitor your keystrokes and again send that info out to other people. I've had great results with Comodo's free firewall. Comodo has packaged their highly configurable free firewall with an antivirus add-on which can be disabled independently. A good product in my experience.

  6. Don't open email attachments unless you are expecting them! Many scammers will try to gain your confidence by emulating someone you may know. Common email subjects are used such as "Hey, its me!" or "I have a question" or "UPS delivery confirmation - verification required". Recently the Phacebook Phishing scam did just that - they created a dummy Facebook login page and grabbed as many Facebook emails as possible to get their scam going. Once you attempt to log on to the dummy site, the hackers have access to your Facebook account, personal information and email contact list. Away they go....

  7. Reviewing credit card and bank account statements as soon as you receive them is a good practice. Check for unauthorized charges, and if your statement is late by more than a couple of days, call your bank/credit card company and confirm your billing address. Once a scammer has enough of your personal information they can change billing addresses, increase amounts, apply for additional credit cards etc.
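The trick behind the 'Click to visit the real Facebook' demo in step 2 is that a link's visible text and its real destination are two separate things, and an anti-Phishing toolbar simply shows you the real one. The script below, added here as an illustration and not code from the original post or from Netcraft, does the same comparison on a handful of constructed sample links: it works out what site the link text claims (a pasted URL or hostname, or a brand name from a small hand-made list), reads the true host out of the href, and flags the link when the two disagree. The brand list, the sample links and the "last two labels" rule for the base domain are all simplifying assumptions for the demo; a real toolbar consults a large site database and the Public Suffix List.

```javascript
// Added example (not from the original post): flag links whose visible text
// names one site while the underlying href leads somewhere else.
// Runs under Node.js (uses the global URL class); no browser needed.

// Constructed sample links for the demo. The first one mirrors the post's own
// 'Click to visit the real Facebook' link, which goes to the author's site.
const SAMPLE_LINKS = [
  { text: "Click to visit the real Facebook", href: "https://datashield.example/" },
  { text: "https://www.facebook.com", href: "https://www.facebook.com/" },
  { text: "www.mybank.com", href: "http://www.mybank.com.evil.example/secure" },
  { text: "Read our privacy policy", href: "https://www.facebook.com/policy" },
];

// Assumption: a tiny hand-maintained map from brand words that might appear in
// link text to the real base domain of that brand.
const KNOWN_BRANDS = { facebook: "facebook.com", paypal: "paypal.com" };

// True hostname of a link target, or null if the href is not a valid URL.
function hostOf(urlish) {
  try {
    return new URL(urlish).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Last two labels of a hostname ("www.mybank.com" -> "mybank.com").
// Simplification: ignores multi-label public suffixes such as co.uk.
function baseDomain(host) {
  const labels = host.split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// What host, if any, the visible text claims the link goes to:
// a URL or hostname written in the text, otherwise a known brand word.
function claimedHost(text) {
  const m = text.match(/(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i);
  if (m) return m[1].toLowerCase();
  const lower = text.toLowerCase();
  for (const brand of Object.keys(KNOWN_BRANDS)) {
    if (lower.includes(brand)) return KNOWN_BRANDS[brand];
  }
  return null;
}

// Compare the claimed site with the real destination and return a verdict.
function checkLink(link) {
  const target = hostOf(link.href);
  if (target === null) {
    return { ...link, verdict: "unparseable", reason: "href is not a valid URL" };
  }
  const claimed = claimedHost(link.text);
  if (claimed === null) {
    return { ...link, verdict: "ok", reason: "text makes no claim about the destination" };
  }
  const claimedBase = baseDomain(claimed);
  const targetBase = baseDomain(target);
  if (claimedBase === targetBase) {
    return { ...link, verdict: "ok", reason: `text and href both under ${targetBase}` };
  }
  return {
    ...link,
    verdict: "suspicious",
    reason: `text suggests ${claimedBase} but href really goes to ${target}`,
  };
}

function checkAll(links) {
  return links.map(checkLink);
}

// Print a small report, the way a toolbar would show the true address.
for (const r of checkAll(SAMPLE_LINKS)) {
  console.log(`[${r.verdict.toUpperCase()}] "${r.text}" -> ${r.href}\n    ${r.reason}`);
}
```

Note the third sample: the text "www.mybank.com" is literally part of the real hostname, which is exactly why the script compares base domains (mybank.com versus evil.example) rather than asking whether the text appears somewhere in the href.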

In spite of all the dark stuff, the internet remains a great place for access to information and other resources on almost anything. Unfortunately there are people who use technology to take advantage of the unsuspecting, and the best thing anyone can do to keep the internet safe is to educate themselves on the types of risks out there and protect themselves in the event that they are infected with a virus, malware, scareware etc. Back up your data, report phishing attempts and don't pass on emails that are potentially unsafe.

Surf on Dudes!
